Protecting reputation through risk management

This issue summary is reprinted from copyrighted material published by Crowe Horwath LLP.

Reputation is a valuable asset, but protecting it presents many challenges. How does an organization identify and quantify risks to its reputation? How are such risks monitored and managed? How should a business respond when new risks arise?

Applying sound risk management practices can help organizations of all types address such questions more effectively.

Value of your organization’s reputation

In today’s environment, an organization’s reputation is more valuable than ever. In 2011, for example, Richard Branson’s Virgin Group generated more than £13 billion in annual revenues simply by licensing to other companies the rights to the Virgin brand, which retails a high level of customer loyalty—a clear demonstration of the value of a brand and the reputation that creates it.1

More recently–and on an even larger scale–Toyota made headlines in 2014 by reclaiming its spot as the world’s most valuable automotive brand. According to the brand valuation consultancy Brand Finance, Toyota rebuilt its brand value to $34.9 billion in part through a concerted reputation-building initiative after several high-profile recalls in recent years. 2

Reputation consistently ranks high among shareholders’ concerns. Specialty chip maker Audience suffered a drop in stock price of more than 25% in mere seconds after a false Twitter report that the company was being investigated for fraud. 3

Reputation also matters greatly to employees and potential employees. A recent MIT Business School study found that 96% of the students responding to the survey said that reputation was an important factor in their choice of potential employer and that a company’s corporate, workplace, and social reputations account for 16.3% of the value that job candidates look for as they consider a potential employer—second in importance only to salary and compensation. 4

Major contributors to reputation risk

Risks to reputation can take many forms. Examples include fraud and overtly illegal acts, lapses in trust, breakdowns in operations, and customers’ changing values and attitudes, all of which can affect reputation quickly and directly. These historical risks are exacerbated by several macro trends in today’s economy:

A volatile environment

As part of the recruitment message for its M.B.A. program, Babson College frequently cites this eye-catching statistic: More than 40% of the companies in the Fortune 500 in 2000 were no longer there by 2010. 5 A similar analysis led Forbes magazine to publish an article with the apocalyptic headline, “The End Is Near: Why 70% of the Fortune 1000 Will Be Replaced in a Few Years.” 6 Regardless of the precise rate of turnover, it is clear that the pace of change in today’s economy is accelerating.

Sudden shifts in reputation contribute to this volatility. Retailer Abercrombie & Fitch provided a clear example in 2013 when it suffered a dramatic drop in reputation after comments from its CEO saying he didn’t want “fat” or “not so cool” kids wearing the company’s clothes. According to brand researcher YouGov BrandIndex, Abercrombie & Fitch’s consumer perception among 18- to 34-year-olds dropped from relatively neutral to highly negative in just two weeks. 7

Growth of social media

The Abercrombie & Fitch incident also demonstrates the importance of another major contributor to reputation risk: the rise of social media. The comments that triggered the negative reaction actually had been made years earlier, but when they resurfaced in an online article in Business Insider, 8 they generated strong social media reactions.

One YouTube video criticizing the company generated 4.5 billion views.

Another popular online site, socialnomics.net, cites additional indicators of the power of social media. For example 10 :

• If Facebook users were all located in a single country, they would be the third most populous country in the world, second only to China and India.

• Every second, two people join the LinkedIn business networking site.

In the past, investors who were uneasy about a company’s reputation most likely would react by moving their money to other, less volatile businesses. Today, however, more shareholders stay invested but demand action from company management.

For example, in 2013, shareholders at the annual meeting of Dominion Resources introduced resolutions aimed at tying executive compensation to sustainability goals and requiring the company to report on financial risks related to climate change. These moves reflected concerns related to the company’s reputation and its effect on share value. 11

Shareholder activism is not confined to environmental issues. Businesses are being pressed to take visible steps to demonstrate sensitivity to a whole range of social, governance, and corporate responsibility issues.

For example, when releasing its 2012 annual report, JPMorgan Chase pointed out that it had increased its lending to small businesses by 18%, provided billions in funding to low- and moderate-income individuals or communities, and donated more than $190 million to not-for-profit organizations—all actions that clearly are designed to have a positive effect on the bank’s reputation. 12

Increasing dependence on third parties

According to a recent survey conducted jointly by The Institute of Internal Auditors Research Foundation and Crowe Horwath LLP, more than 65% of organizations today rely “heavily” on third parties—and nearly 75% of the respondents said their organizations have experienced some type of harm from the action or inaction of a third party.13

Today’s global supply chains compound the risk. The April 2013 collapse of the Rana Plaza garment factory building in Bangladesh drew worldwide attention to working conditions in the area—and to the dozens of U.S. companies that sourced clothing from Rana Plaza.

The tragedy also demonstrated how difficult it can be to reverse reputation damage. More than 30 companies signed a legally binding agreement requiring them to conduct independent safety inspections and cover the costs of needed repairs. But several prominent retailers held back—and have come under fire for doing so. 14

What’s more, although it might seem that the simplest solution would be just to sever ties with such risk-prone suppliers, one Fortune 100 company ended up drawing criticism for its decision to pull out of Bangladesh. Activists contended the company should have stayed and worked to improve conditions. When it comes to managing reputation risk, it appears that there are no simple answers.

Increased regulatory action

The risk of damage to reputation due to regulatory action also is escalating, as are the associated costs. A 2014 study of prosecutions under the U.S. Foreign Corrupt Practices Act (FCPA) found that, of 143 anti-bribery enforcement actions that have been taken against publicly traded companies since the FCPA was enacted in 1977, 64% have occurred just since 2007. 15

The study by three university business schools went on to observe: “Firms that are caught and face enforcement action for bribery … face significant costs that average 5.1% of market capitalization, including 3.3% in direct costs and 1.0% in reputation losses.” 16

Information breaches

An especially serious reputation risk in the information age relates to data loss or security breaches. A 2014 Ponemon Institute study analyzed the costs incurred by 314 companies after they experienced the loss or theft of protected personal data. In addition to the expenses related to detecting and responding to security breaches, the study examined the economic impact of lost or diminished customer trust as measured by customer turnover or churn. The study found that the average total cost of a data breach incident at a U.S. company was $5.9 million, not including any fines that might be levied in connection with the breach. 17

Reputation: More than a public relations concern

In the introduction to “Enterprise Risk Management: From Incentives to Controls,” author James Lam notes that “the only alternative to risk management is crisis management—and crisis management is much more expensive, time consuming, and embarrassing.” 18

One shortcoming that causes organizations to lapse into crisis management rather than risk management is the tendency to regard reputation risk as primarily a public relations function.

The public relations group has a major role to play in helping to manage reputation risk, but effectively managing it requires companywide commitment and effort.

No matter how well the public relations engine runs, if the rest of the business is not prepared to support the brand promises that the public relations team makes, the entire effort can be derailed by a single adverse incident.

Another overlooked risk is the damage that competitors can do to a business’s reputation. Even if competitors do not attack directly, their actions can affect the reputation of an entire industry or sector.

On the other hand, in some cases a competitor’s stumble can present an opportunity to contrast a company’s approach and improve the company’s reputation by comparison.

Enterprise Risk Management approach to reputation

ERM enables management to look at things that could happen—such as supply chain disruption or a competitor going out of business—and define the associated risks of such an event, determine the organization’s risk appetite, and develop systems for managing or mitigating the risks.

An effective ERM program can result in a resilient organization that makes sound strategic decisions, typically choosing among five high-level approaches to an identified risk:

1.Avoid: Exit activities that give rise to the unacceptable risk.

2.Reduce: Take action to reduce either the likelihood or the impact of the risk.

3.Share: Transfer all or part of the risk burden to a third party.

4.Accept: Retain the risk, and take no action to affect its likelihood or impact.

5.Exploit: Pursue an opportunity that involves strategically choosing exposure to a known risk (for example, entering a growing market in a politically unstable country) while actively managing the exposure that accompanies the choice.

The application of ERM principles to reputation risk not only provides an effective method for addressing risk but also helps to confirm that such risk is integrated fully into the core business risk management framework rather than simply handed off to the public relations function.

Leading and lagging indicators

Effective risk management depends on the ability to identify growing or imminent risks early enough to mount an effective response.

In monitoring potential risks to reputation, it can be useful to distinguish between leading and lagging indicators.

For example, sales numbers and customer complaints reflect changes in reputation among an organization’s customers, but they are basically lagging indicators—they tell you how your reputation has fared in recent months.

On the other hand, leading indicators such as customer referrals and repeat sales can provide insights into future trends as well as areas of potential strength and weakness.

The exhibit shows examples of leading and lagging indicators of reputation risk among various stakeholder groups.

The distinction between leading and lagging indicators is not always clear. For example, market capitalization can be both a lagging and a leading indicator of reputation risk among shareholders. Market capitalization obviously reflects past actions, but it is also driven by investor opinion of the company’s likely future performance.

Stakeholder engagement

Stakeholders such as customers and employees are not only an important target audience in managing reputation risk—they also can be powerful allies. Organizations that take a genuinely proactive approach to reputation risk should plan on approaching and engaging these stakeholders.

Popular tools for engaging customers include brand or reputation surveys as well as customer satisfaction and service follow-up calls. Talent and human resource planners employ similar tools to gauge employee attitudes, recognizing that there is a strong relationship between employees who feel empowered and customer-oriented and customers who are loyal and satisfied.

Forrester Research, for example, has identified a number of attributes that are powerful contributors to a feeling of engagement on the part of employees: 19

• Purpose: to participate in something larger than ourselves

• Mastery: the desire to become better at something that matters

• Autonomy: the human need to direct our own lives

• Belief: in both the mission and the value of the individual’s contribution

• Vision: a clear path to the future for those who build the right skills

• Empowerment: the ability to use one’s knowledge to direct an outcome

Measuring and reinforcing these attitudes can strengthen reputation among employees.

Turning risk into opportunity

Ultimately, the objective of an ERM approach to reputation risk is to move beyond damage control and take a more proactive approach.

The response of Hancock Bank in the wake of Hurricane Katrina offers an excellent example. Ninety of the Gulf Coast regional bank’s 103 branches suffered damage in the storm, and many branches lost connection to their main data center. Meanwhile, residents in the bank’s major markets were without power, water, and many other essentials—and desperate for cash to make purchases.

The bank responded by rallying busloads of employees from less affected areas, opening makeshift branches, helping businesses meet payrolls, waiving ATM and overdraft fees, and serving customers and noncustomers alike from mobile banking units. The bank circulated cash by using money from ATMs and vaults and even set up a washing machine to literally launder money that had been contaminated by overflowing sewage.

With limited access to technology, bankers tracked loans on paper, providing cash to anyone who needed it, including $3.5 million to people who were not even customers. Eventually all but $300,000 of the millions of dollars in loans was repaid. More important, in the four months following the storm, the bank grew by $1.6 billion—more than it had grown during the previous 95 years—as grateful new customers opened accounts, reflecting the power of a proactive approach to potential reputation risk. 20

Hancock Bank’s example not only illustrates reputation’s value but demonstrates how it is possible to proactively manage reputation risk through the use of sound ERM principles. By embracing these principles, actively monitoring leading indicators of reputation risk, and engaging stakeholders in a coordinated effort to identify and respond to such risks, a business can more effectively protect one of its most valuable assets—its reputation.